Effects much worse for other distributions than expected
Posted May 15, 2008 10:48 UTC (Thu) by erich
Parent article: Debian vulnerability has widespread effects
What concerns me most is that other distribution users are likely to assume they're safe. They're not necessarily so. They're only safe if none of their users is/was running Debian or Ubuntu.
It's very simple:
- Server A runs some 'unaffected' Linux distribution
- User B is running an 'affected' Linux distribution
- User B enables key-based logins on Server A to his account / maybe even the root account
- Since his key is weak, logins to Server A can be brute-forced easily.
So if any of your users might be running Debian or Ubuntu - so if he might have a weak key - you should update OpenSSH to a version with the blacklist of known weak keys shipped by Debian and Ubuntu.
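The scenario in this comment can also be checked from the server side by auditing existing `authorized_keys` files against a blacklist. The sketch below is an added example, not part of the original comment and not OpenSSH or Debian code. It assumes blacklist entries are lowercase MD5 key fingerprints with the first 12 hex characters removed, and the sample keys and blacklist are constructed.

```python
import base64
import binascii
import hashlib


def parse_key_blob(line):
    """Return (key_type, blob) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options may precede the key, so look for a "type base64" pair whose
    # decoded blob starts with the same length-prefixed type name.
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        name = tokens[i].encode()
        if blob[:4] == len(name).to_bytes(4, "big") and blob[4:4 + len(name)] == name:
            return tokens[i], blob
    return None


def fingerprint(blob):
    """Legacy MD5 fingerprint of a public key blob, hex without colons."""
    return hashlib.md5(blob, usedforsecurity=False).hexdigest()


def weak_entries(text, blacklist):
    """List (line_number, key_type, fingerprint) for blacklisted keys."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_blob(line)
        if parsed and fingerprint(parsed[1])[12:] in blacklist:
            hits.append((lineno, parsed[0], fingerprint(parsed[1])))
    return hits


def _constructed_entry(ktype, payload, options=""):
    # Builds a fake key line for the demo; payload is not real key material.
    name = ktype.encode()
    blob = len(name).to_bytes(4, "big") + name + payload
    return f"{options}{ktype} {base64.b64encode(blob).decode()} user@example", blob


_WEAK, _WEAK_BLOB = _constructed_entry("ssh-rsa", b"constructed-weak", 'command="/bin/backup run" ')
_OK, _ = _constructed_entry("ssh-dss", b"constructed-ok")
SAMPLE_BLACKLIST = {fingerprint(_WEAK_BLOB)[12:]}  # constructed blacklist
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed file", _OK, _WEAK, "garbage line here"])

if __name__ == "__main__":
    for lineno, ktype, fp in weak_entries(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {lineno}: blacklisted {ktype} key, MD5 {fp}")
```

Run it over every account's `authorized_keys`, including root's, since the weak key lives on the server regardless of which distribution the server runs.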